[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Paul Vixie
paul at redbarn.org
Tue Sep 6 11:28:24 UTC 2016
sthaug at nethelp.no wrote:
>> one ethics canary is "how would the world be if everyone did what i'm
>> considering doing?" and in this case the attackers would switch to some
>> other qtype than ANY, and continue as before. this would make it harder
>> to detect, and surreptitiously backtrack, these attacks, since they
>> would fade moreso into the background. a net loss for the defense.
>
> I'm very willing to believe that some attackers switch. However, the
> observed behavior from "my" name servers is that attackers continue
> using ANY queries in a significant majority of the cases. Only once in
> a while do we see attacks based on TXT or some other type of query.
>
> Thus from my point of view, restricting ANY queries (for instance by
> forcing truncation and switch to TCP) still seems like a net win.
you are not playing this game to win. think economics. think area under
the curve.
> YMMV.
no. we will, together, live in the world that blocking ANY will create.
--
P Vixie
More information about the dns-operations
mailing list